1 / 20

Thomas D. Anthony Frost Brown Todd LLC Attorneys at Law 201 E. Fifth Street Cincinnati, Ohio 45202

Development of your Company’s Record Information System and Disaster Preparedness The National Emergency Management Summit. Thomas D. Anthony Frost Brown Todd LLC Attorneys at Law 201 E. Fifth Street Cincinnati, Ohio 45202 (513) 651-6191 TANTHONY@FBTLAW.COM February 4, 2008 Track 2.07.

zeroun
Download Presentation

Thomas D. Anthony Frost Brown Todd LLC Attorneys at Law 201 E. Fifth Street Cincinnati, Ohio 45202

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Development of your Company’s Record Information System and Disaster PreparednessThe National Emergency Management Summit Thomas D. AnthonyFrost Brown Todd LLC Attorneys at Law 201 E. Fifth Street Cincinnati, Ohio 45202 (513) 651-6191TANTHONY@FBTLAW.COM February 4, 2008 Track 2.07

  2. Principal Purposes • Efficient and effective management; • Good business practices; • Destruction and elimination; • Adherence to laws and regulations; • Avoidance of fines, sanctions, obstruction of justice charges; • Avoidance of spoliation of evidence; • Safeguard and back-up records; • Protection of individuals and their information. 2

  3. Business Requirements • Products or services; • Dependence on product designs, blueprints, specifications, formulas; • Use of plans, operational models and manuals; • Use of data banks of individual information; • Training and safety under OSHA, etc.; • Purchasing methods and protocols; • Intellectual property, sales and marketing literature; • Information technology, accounting and management; • Other business rules of the organization. 3

  4. State Law Regulatory Agencies • Banking • Utilities • Real Estate • Tattoos • Health Care • Uniform Preservation of Business Records Act • Data Breach Notification Acts 4

  5. Federal Laws • Section 6801 and 6805(b)(2) of the Gramm-Leach-Billey Act, 15 USC Section 6801; • Section 552 of the Freedom of Information Act; • Section 552(a) of the Privacy Act; • The National Archives in Records Administration, 44 US Code Chapter 21; • The Federal Records Act, 44 US Code Chapter 21; • The Federal law on disposal of records, 44 US Code Chapter 23; • The Internal Revenue Code; • The Paper Reduction Act, 44 US Code Chapter 35; • The Health Insurance Portability and Accountability Act of 1996 (HIPPA), 42 US Code 1320d-2(d)(2); • The Sarbanes Oxley Act of 2002, Public Law 107-204; • The Administrative Procedures Act, 5 US Code Chapter 5; • The PATRIOT Act; • The Environmental Protection Act. 5

  6. International Laws • The Safe Harbor Act which was adopted in 1998 by the European Union and also known as the European Union Data Protection Directive. • The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). • France: CNIL Guidelines. • Ireland: Data Protection Acts of 1998 and 2003. • Germany: Federal Data Protection Act. • Italian: Personal Data Protection Code. • Asian Pacific: Economic Conference privacy principles. 6

  7. The Seven Steps 1. Form the management team. 2. Create the response team. 3. Categorize all records. 4. Identify all retention requirements. 5. Prepare the record retention policy. 6. Prepare the backup and retrieval plan. 7. Train all parties on response and their roles in it. 7

  8. Formation of Management Team • Legal Department • Tax Staff • Information Technology • Senior Management • Review record retention policies of other companies • Create timelines, milestones, and targets • Leadership “buy-in” and enforcement 8

  9. The Response Team • The team leader = in-house counsel • Information technology • Litigation support specialists • Outside counsel • Attorney-client privilege • Outside storage vendor • Communications team 9

  10. The Response • Quick and efficient implementation of the response plan • Business copies and personal copies. • All forms of media • All forms of electronic equipment • Educate IT personnel • IT backup schedules, retention and destruction protocols, networks, e-mail servers, and the electronic mapping • Back up mapping and management • IT for business purposes only • “Blind” copies easily revealed • Halt destruction • FRCP rule 16(c) and 16(h) pretrial conferences 10

  11. The Response • Relevance and Privilege • Engage crisis communications group • Use intrusion detection technology • Internal notification of data security breaches • Plan for data security breaches • Adopt measures to contain and control breaches • Formulate crisis communications content 11

  12. The Response • Identify law enforcement agency contacts • Prepare written procedures for notification of victims • Conduct assessment of scope of breach • Notify affected individuals as soon as possible • Deploy crisis communications plan 12

  13. Notification • By email • Conspicuous notice on website • Notice to major media outlets – 75% of population • At least ¼ page ads in newspapers for 3 weeks • No less than 45 days within discovery of event 13

  14. Sort by Category and Format • Letters • Email • Corporate Records • Contract • Business Records • Written • Electronic Folders 14

  15. Retention Requirements 1. Statutes of Limitations 2. Business Needs 3. Historical Value 4. Legal and regulatory requirements 5. Business and industry practices 15

  16. Prepare the Policy • Policy must be “reasonable” • To be reviewed by a hostile third party • Express desire to satisfy business and legal requirements • Specify rational for each retention period • Federal, international and state retention requirements • Consider and plan for possible disaster scenarios • Be conservative • Identify all official records • Identify official authority • Reasonably comprehensive • Avoid selective destruction • Create back up plans • Communicate back up plans to employees • Develop comprehensive communication plan 16

  17. Spoliation of Evidence • Never destroy records involved in litigation • Spoliation worse than damaging documents • Fines, penalties and more… 17

  18. Publishing, Training and Oversight • Distribute policy to all company personnel • Train on meaning, purpose, and operation • Practice disaster simulations • Practice dealing with all forms of media • All must comply • Periodically audit and revise • Senior management engagement and approval 18

  19. Documentation • Approvals of proper executives • General counsel, CIO, director of taxation, vice president or president • Policies, procedures, audits, revisions • Engage outside storage vendors • Operational implementation 19

  20. Document Destruction • Have clear plans and processes • Keep notes of what was destroyed, when, and by whom • Avoid appearance of selective destruction • No individual discretion • Impose litigation “Holds” • Create and follow business rules 20 Cinlibary 1805334

More Related